Message-ID: <3aa800bb9f664910da24d5cfe9507c07.squirrel@gameframe.net>
Date: Sun, 30 Oct 2011 16:49:20 +0200
From: nix@...roxylists.com
To: "Mark Andrews" <marka@....org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: bind-9.8.1 remote code exec exploit?

> In message <c2122821abc4d89254092500a8814215.squirrel@...eframe.net>,
> nix@...roxylists.com writes:
>> Hello list.
>>
>> I've source compiled BIND 9.8.1 on the server.
>>
>> I've been investigating weird iptables messages as follows:
>>
>> Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
>>
>> I received a message from my ISP's abuse desk that my server is scanning SIP port
>> 5060 and I set the firewall rule to deny/log all UDP connections out of
>> the box to port 5060 to get timestamps for further investigation. This
>> happened before I set the firewall rule.
>
> You are just blocking legitimate reply traffic. Your ISP is probably
> misclassifying traffic it sees destined to port 5060. Nameservers
> randomly pick source ports to make it harder for off path attackers
> to spoof reply packets and, unless something is already using port
> 5060, port 5060 is fair game.
>
> You can stop your own nameservers using 5060 as a query source port
> with avoid-v4-udp-ports but it doesn't do much to help with queries
> to you.
>
> avoid-v4-udp-ports { 5060; };
> avoid-v6-udp-ports { 5060; };
>
> You should also adjust your firewall to let packets sourced from
> port 53 on your nameservers to any port go through. That way you
> won't get false positives.
>
> Mark
>
>> /var/log/named.log
>>
>> 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error sending response: host unreachable
>> 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error sending response: host unreachable
>> 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error sending response: host unreachable
>> 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error sending response: host unreachable
>> 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error sending response: host unreachable
>> 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error sending response: host unreachable
>> 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error sending response: host unreachable
>> 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error sending response: host unreachable
>> 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable
>> 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error sending response: host unreachable
>> 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error sending response: host unreachable
>> 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
>> 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
>>
>> Timestamps match exactly to the kernel's firewall log. Every time the BIND
>> error log has the above entry, the box tries to scan for SIP port 5060.
>>
>> Is it possible to scan ports through BIND or exec code by sending a
>> specially crafted request?
>>
>> PS. I have been tracking this issue for a week and no other timestamps
>> match exactly to this issue. I have currently grsec' exec logging on
>> and hoping this issue occurs soon so I can see whether it will execute
>> extra code under the user 'bind'.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742    INTERNET: marka@....org
>

Thanks everyone for the clarification. The port scan issue I had with the other
host actually happened before I set up the name server. At that time I could not
determine what was causing it and I left this issue alone due to a lot of other
work. Then I set a firewall rule to log/deny UDP port 5060. Afterwards I
installed the name server on this server and started to see those iptables
messages and thought that something was connecting out of the box to port 5060
that should not. I was not aware that BIND uses random ports and obviously 5060
as well. Hopefully I explained clearly enough what caused this confusion.
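As an added example (not code from the thread or from ISC), the correlation nix did by hand, in Python: each firewall hit on UDP/5060 is paired with a named.log "error sending response" warning for the same client IP#port within one second, and hits sourced from port 53 with such a match are labelled as blocked DNS replies rather than scans. The sample log lines are constructed in the formats quoted above; MY_SERVER_IP is the post's own placeholder, 198.51.100.7 is an added documentation address, and the log year is an assumption because the kernel log does not carry one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the lines quoted in the thread.
NAMED_LOG = """\
29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
"""
KERNEL_LOG = """\
Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
Oct 29 14:53:14 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31796 PROTO=UDP SPT=41233 DPT=5060 LEN=40
"""

NAMED_RE = re.compile(r"^(\S+ \S+) client: warning: client (\S+)#(\d+): error sending response")
KERN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*DST=(\S+) .*PROTO=UDP SPT=(\d+) DPT=(\d+)")

def parse_named(text):
    """Return {(client_ip, client_port): [datetime, ...]} from named.log warnings."""
    out = {}
    for line in text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            out.setdefault((m.group(2), int(m.group(3))), []).append(ts)
    return out

def parse_kernel(text, year):
    """Yield (datetime, dst, sport, dport) for each logged outbound UDP packet.
    The iptables log line has no year, so the caller supplies it (assumption)."""
    for line in text.splitlines():
        m = KERN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), int(m.group(4))

def classify(kernel_text, named_text, year=2011, window=timedelta(seconds=1)):
    """Label each firewall hit. A packet from source port 53 whose destination
    ip#port matches a named.log 'error sending response' entry within `window`
    is a DNS reply the firewall dropped; anything else stays unexplained."""
    responses = parse_named(named_text)
    verdicts = []
    for ts, dst, sport, dport in parse_kernel(kernel_text, year):
        matched = sport == 53 and any(
            abs(t - ts) <= window for t in responses.get((dst, dport), []))
        verdicts.append((dst, dport, "blocked DNS reply" if matched else "unexplained"))
    return verdicts

if __name__ == "__main__":
    for dst, dport, verdict in classify(KERNEL_LOG, NAMED_LOG):
        print(f"{dst}:{dport} -> {verdict}")
```

Hits that stay "unexplained" are the ones worth investigating; on nix's box every hit was a port-53 reply with a matching named.log entry.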